Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AppArmor support #24

Open
13 of 19 tasks
timstclair opened this issue Jul 14, 2016 · 147 comments
Open
13 of 19 tasks

AppArmor support #24

timstclair opened this issue Jul 14, 2016 · 147 comments
Assignees
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/node Categorizes an issue or PR as relevant to SIG Node. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team
Milestone

Comments

@timstclair
Copy link

timstclair commented Jul 14, 2016

Description

Add AppArmor support to Kubernetes. Initial support should include the ability to specify an AppArmor profile for a container or pod in the API, and have that profile applied by the container runtime.

Progress Tracker

FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers.
FEATURE_STATUS: BETA

More advice:

Design

  • Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.

Coding

  • Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
  • As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository,
    and sometimes http://github.com/kubernetes/contrib, or other repos.
  • When you are done with the code, apply the "code-complete" label.
  • When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will
    check that the code matches the proposed feature and design, and that everything is done, and that there is adequate
    testing. They won't do detailed code review: that already happened when your PRs were reviewed.
    When that is done, you can check this box and the reviewer will apply the "code-complete" label.

Docs

  • Write user docs and get them merged in.
  • User docs go into http://github.com/kubernetes/kubernetes.github.io.
  • When the feature has user docs, please add a comment mentioning @kubernetes/docs.
  • When you get LGTM, you can check this checkbox, and the reviewer will apply the "docs-complete" label.
@timstclair
Copy link
Author

Original issue here: kubernetes/kubernetes#22159

@idvoretskyi idvoretskyi modified the milestone: v1.4 Jul 18, 2016
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Jul 25, 2016
Automatic merge from submit-queue

AppArmor design proposal

For kubernetes/enhancements#24

/cc @kubernetes/sig-node @erictune @matchstick
@idvoretskyi idvoretskyi added the sig/node Categorizes an issue or PR as relevant to SIG Node. label Aug 4, 2016
@janetkuo
Copy link
Member

janetkuo commented Sep 2, 2016

@timstclair it looks like the docs PR number is outdated. Please update the PR number and check the docs box once it's done

@timstclair
Copy link
Author

Fixed. Thanks @janetkuo !

@timstclair
Copy link
Author

Docs kubernetes/website#1147 - @kubernetes/docs

@devin-donnelly
Copy link

Is there an issue? I merged this one in last week.

On Sep 21, 2016 1:30 PM, "Tim St. Clair" notifications@github.com wrote:

Docs kubernetes/website#1147
kubernetes/website#1147 -
@kubernetes/docs https://github.com/orgs/kubernetes/teams/docs


You are receiving this because you are on a team that was mentioned.
Reply to this email directly, view it on GitHub
#24 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ARmNwOTArylXQHoAoz2lMTsKhg9luaTYks5qsZPlgaJpZM4JMBOR
.

@timstclair
Copy link
Author

No, I was just following the instructions at the bottom of the issue, which I hadn't done before...

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 2, 2018
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 7, 2018
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@liggitt liggitt reopened this Mar 15, 2018
@liggitt
Copy link
Member

liggitt commented Mar 15, 2018

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Mar 15, 2018
@justaugustus
Copy link
Member

@tallclair @liggitt
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

cc @idvoretskyi

@sreeram-venkitesh sreeram-venkitesh added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Jun 24, 2024
@mbianchidev
Copy link
Member

Hey hey @tallclair @vinayakankugoyal

👋 from the v1.31 Communications Team!

We'd love for you to opt in to write a feature blog about your enhancement! Some reasons why you might want to write a blog for this feature include (but are not limited to) if this introduces breaking changes, is important to our users, or has been in progress for a long time and is graduating.

To opt in, let us know and open a Feature Blog placeholder PR against the website repository by 3rd July, 2024. For more information about writing a blog see the blog contribution guidelines.

Note: In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

Reminder of the 3rd of July deadline!
It's totally fine to also opt out if you don't think that writing a blog is useful for our users or if you don't have time (in that case team comms can also help you out 👀 )

@natalisucks
Copy link

Hello @timstclair 👋, 1.31 Docs Shadow here. Does this enhancement work planned for 1.31 require any new docs or modification to existing docs?
If so, please follows the steps here to open a PR against dev-1.31 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday June 27, 2024 18:00 PDT.
Also, take a look at Documenting for a release to get yourself familiarised with the docs requirement for the release.
Thank you!

Hello @tallclair @vinayakankugoyal, @timstclair, Just a reminder to open a placeholder PR against the dev-1.31 branch in the k/website repo, if this enhancement work requires new additions or modifications to existing docs. The deadline for this is a week away at Thursday, June 27, 2024, 18:00 PDT.

Howdy @timstclair and @vinayakankugoyal, SIG Docs co-chair here 👋 I wanted to add another reminder about the docs deadline for this enhancement: updating feature gates qualifies as requiring documentation as far as Release Docs is concerned, so please check out @Princesso's reminder above to ensure you meet the deadline today

@vinayakankugoyal
Copy link
Contributor

@natalisucks - I added a draft PR for this feature. Thanks!

@sftim
Copy link
Contributor

sftim commented Jul 1, 2024

A question, is the annotation apparmor.security.beta.kubernetes.io/defaultProfileName deprecated? If so, what's the new mechanism?

@vinayakankugoyal
Copy link
Contributor

We have a new field.containers[*].securityContext.appArmorProfile.type:

@sftim
Copy link
Contributor

sftim commented Jul 1, 2024

OK, cool. The new thing is documented; we also need to document the deprecated thing (and tell people to switch to the new thing). We leave deprecated annotations documented forever.

@prianna
Copy link

prianna commented Jul 9, 2024

Hey again @vinayakankugoyal and @tallclair 👋 Enhancements team here,

Just checking in as we approach code freeze at 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024.

Here's where this enhancement currently stands:

  • All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, it looks like the following PRs are open and need to be merged before code freeze:

Please let me know if there are other PRs in k/k we should be tracking for this KEP, and please update your enhancement description with the requisite PRs.

If you anticipate missing code freeze, you can file an exception request in advance. As always, we are here to help if any questions come up. Thanks!

@prianna prianna moved this from Tracked for Enhancements Freeze to At Risk for Code Freeze in 1.31 Enhancements Tracking Jul 9, 2024
@sreeram-venkitesh
Copy link
Member

@vinayakankugoyal Please let us know if kubernetes/kubernetes#125257 is the only PR that we need to track for this KEP.

@vinayakankugoyal
Copy link
Contributor

Hi @sreeram-venkitesh. Yes kubernetes/kubernetes#125257 is the only PR associated with this KEP.

@sreeram-venkitesh
Copy link
Member

Awesome, marking the KEP as tracked for code freeze 🎉 Thanks @vinayakankugoyal!

@sreeram-venkitesh sreeram-venkitesh moved this from At Risk for Code Freeze to Tracked for Code Freeze in 1.31 Enhancements Tracking Jul 23, 2024
@Princesso Princesso moved this from Tracked for Code Freeze to Tracked for Doc Freeze in 1.31 Enhancements Tracking Jul 29, 2024
@kannon92 kannon92 moved this from Triage to Proposed for consideration in SIG Node 1.32 KEPs planning Aug 22, 2024
@tjons
Copy link
Contributor

tjons commented Sep 7, 2024

@tallclair in preparation for the next release, now that this KEP has been implemented, would you kindly update the KEP status to implemented and then close this out, unless there's remaining work to conduct in the 1.32 release cycle?

@haircommander haircommander moved this from Proposed for consideration to Not for release in SIG Node 1.32 KEPs planning Sep 12, 2024
@haircommander
Copy link
Contributor

I moved this for Not for release because I don't see any work we'll be doing here for 1.32 as it's already GA

@tjons
Copy link
Contributor

tjons commented Sep 15, 2024

Hello 👋 1.32 Enhancements Lead here,

I'm closing milestone 1.31 now,
If you have more work on this enhancement to complete in v1.32, please follow the instructions here to opt in the enhancement and make sure the lead-opted-in label is set so it can get added to the tracking board and finally add /milestone v1.32. Thanks!

/milestone clear

@k8s-ci-robot k8s-ci-robot removed this from the v1.31 milestone Sep 15, 2024
@tjons
Copy link
Contributor

tjons commented Sep 16, 2024

Inadvertently added this to the 1.32 tracking board

/remove-label lead-opted-in

@k8s-ci-robot k8s-ci-robot removed the lead-opted-in Denotes that an issue has been opted in to a release label Sep 16, 2024
@tallclair tallclair added this to the v1.34 milestone Sep 19, 2024
@tallclair
Copy link
Member

Remaining work, copied from the KEP (https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/24-apparmor/README.md#removing-annotation-support)

  • Phase 1 (v1.30): AppArmor field support merged (AppArmor fields API kubernetes#123435)
    • Sync annotations & fields on Pod create (version skew strategy described above)
    • Warn on annotation use, if field isn't set
    • Kubelet copies static pod annotations to fields
  • Phase 2 (v1.34):
    • API server stops copying fields to annotations
    • Warn on ALL annotation use
    • Risk: policy controllers that don't consider field values
  • Phase 3 (v1.36): End state
    • API server stops copying annotations to fields
    • Kubelet stops copying annotations to fields for static pods
    • Validation that annotations & fields match persists indefinitely
    • Risk: workloads that haven't migrated

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/node Categorizes an issue or PR as relevant to SIG Node. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team
Projects
Status: Removed From Milestone
Status: Tracked for Doc Freeze
Status: Not for release
Status: Tracked for Doc Freeze
Development

No branches or pull requests